
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

More Than One-Third of Vista Purchasers Downgrade to XP (August 18, 2008)

Statistics gathered by Devil Mountain Software indicate that nearly 35 percent of new PCs have been downgraded from Vista to Windows XP. Microsoft's end-user licensing agreement allows users who have purchased Vista Business and Vista Ultimate to downgrade to Windows XP Professional; those who purchased Vista Enterprise are permitted to downgrade to XP. Devil Mountain Software operates the exo.performance.network.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112885&intsrc=hm_list
-http://www.infoworld.com/article/08/08/18/news-vista-downgrade-stat_1.html
[Editor's Note (Pescatore): I know it is popular to bash Vista, but from a security perspective, this is pretty silly. Delaying upgrading to Vista is one thing; buying a new PC with the capacity to run Vista and going backwards to XP makes no sense. At this point the applications that don't work with Vista are all badly written applications that should be shunned anyway.]

CAPTCHA Technology Doing Double Duty (August 14, 2008)

A new version of CAPTCHA technology, which is used to verify that certain online tasks are being performed by humans and not automated systems, is now being used to help decipher old books and newspapers. Instead of random combinations of characters, people are presented with a word that has stumped computerized transcription systems. When three users type in the same word, the system decides that it must be the correct answer. Most digitization projects rely on optical character recognition (OCR), which for books published prior to 1900 has an accuracy rate of 80 percent; the new tool improves the systems' accuracy rates to more than 99 percent. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article4531184.ece
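The agreement rule described above (a word is settled once three people type the same thing) is simple to state but has a security-relevant detail: the three entries have to come from different people, or one submitter could settle a word alone. The following is an added illustration, not code from the article or from the CAPTCHA project it describes; it assumes that entries are normalized for case and whitespace and that only distinct users count toward the threshold, neither of which the article states.

```python
from collections import defaultdict

# From the article: three matching entries settle a word.
CONSENSUS_THRESHOLD = 3


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so trivially different entries count as agreement.
    (Assumption: the real system's normalization rules are not described in the article.)"""
    return " ".join(answer.strip().lower().split())


class TranscriptionPool:
    """Collects human readings of word images that OCR could not resolve and
    accepts a reading once CONSENSUS_THRESHOLD distinct users have typed it."""

    def __init__(self, threshold: int = CONSENSUS_THRESHOLD):
        self.threshold = threshold
        # image_id -> user_id -> normalized answer: one vote per user per image,
        # so a single submitter cannot reach consensus on their own (assumption).
        self.votes = defaultdict(dict)
        # image_id -> accepted word
        self.accepted = {}

    def tally(self, image_id: str) -> dict:
        """Vote counts for every distinct answer seen for an image."""
        counts = defaultdict(int)
        for word in self.votes[image_id].values():
            counts[word] += 1
        return dict(counts)

    def submit(self, image_id: str, user_id: str, answer: str):
        """Record one user's reading.

        Returns the accepted word once this image has reached consensus
        (on this call or earlier), otherwise None.
        """
        if image_id in self.accepted:
            return self.accepted[image_id]
        word = normalize(answer)
        if not word:
            return None  # blank entries carry no information
        # A repeated submission from the same user replaces their earlier vote;
        # it never adds a second one.
        self.votes[image_id][user_id] = word
        if self.tally(image_id)[word] >= self.threshold:
            self.accepted[image_id] = word
            return word
        return None


if __name__ == "__main__":
    # Constructed sample: four users read the same scanned word image.
    pool = TranscriptionPool()
    for user, entry in [("u1", "Mansion"), ("u1", "Mansion"),
                        ("u2", " mansion "), ("u3", "Mansior"), ("u4", "MANSION")]:
        print(user, repr(entry), "->", pool.submit("scan-0001", user, entry))
    print(pool.tally("scan-0001"))
```

Running the sample shows that the duplicate entry from `u1` does not advance the count, the misreading `Mansior` stays a minority, and the word is accepted only when the third distinct user agrees.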


SPYWARE, SPAM AND PHISHING

New Zealand University eMail Server Used to Send Spam (August 15, 2008)

Four staff members at the University of Otago (New Zealand) fell prey to a spear phishing attack that tricked them into providing their login credentials. The attackers used the information to gain access to the University's computer email server and used it to send about 1.55 million spam emails. The phishing emails appeared to come from the University's IT department; the recipients were asked to provide user names and passwords or else their access to email would be revoked. University of Otago staff members have been warned that requests for login information are "most likely fraudulent."
-http://www.odt.co.nz/print/17905
[Editor's Note (Honan): The article states that staff members had previously been warned not to respond to suspicious email requests. The fact that four people fell for this phishing email demonstrates that your security awareness program needs to be a continuous process and not simply a series of one-off exercises.]

Irish Police Searching for Cyber Thieves

US Federal law enforcement authorities are searching for the culprits behind a rash of credit card data thefts from restaurants in Louisiana and Mississippi. The thieves apparently sought out businesses using unsecured wireless networks to steal the information that has been used to commit fraud totaling more than US $1 million. The group tried to sell the information on the Internet. US Attorney David Dugas said the case is likely to involve individuals overseas, as have other cases recently in the news. US Secret Service agents and representatives from Visa were scheduled to conduct a meeting for area restaurant owners to explain how they can protect customer data.
-http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html
[Editor's Note (Honan): The fact that these credit card numbers were stolen via unsecured wireless networks highlights not only the failure of technology to secure the data in this case, but also the failure of management to realise their ethical responsibilities and their obligations with regards to the PCI DSS standard. Unfortunately this failure is a symptom I regularly see amongst many small to medium businesses.]

Wuesthoff Health System in Florida is notifying approximately 500 patients that their personal information may have been compromised when unknown individuals gained access to its pre-registration website. The site, which has been taken down, allowed patients to provide registration information ahead of time for surgery, lab work and other procedures. Wuesthoff intends to track the intruders, but subpoenas necessary to gain the information will not be immediately available. Encryption is normally used to protect patient data on Wuesthoff systems, but the company recently installed Google Analytics, which may have opened a path for the intruders.
-http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20080815/BUSINESS/808150326/1006/NEWS01

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/